Add support for ECDSA certificates #26

Closed
ghost opened this issue Oct 14, 2018 · 11 comments
Comments

@ghost

ghost commented Oct 14, 2018

MeshCentral currently throws an exception and says that it only supports RSA when you replace the automatically generated certificate with an ECDSA certificate (e.g. when using MeshCentral in TLS Offloading mode).

@Ylianst
Owner

Ylianst commented Oct 16, 2018

This is not good. Do you have a way to generate such a certificate or have a sample certificate you can mail me? I imagine only the public portion of the certificate is provided to MeshCentral? - Thanks.

@ghost

ghost commented Oct 26, 2018

@Ylianst I can confirm that an error message appears when you replace the default webserver certificate with an ECDSA certificate. This is the error message in question from mesherrors.txt:

-------- 10/26/2018, 6:08:12 PM ---- 0.2.2-m --------

/meshcentral/node_modules/node-forge/js/x509.js:1274
    throw new Error('Cannot read public key. OID is not RSA.');
    ^

Error: Cannot read public key. OID is not RSA.
    at Object.pki.certificateFromAsn1 (/meshcentral/node_modules/node-forge/js/x509.js:1274:11)
    at Object.pki.certificateFromPem (/meshcentral/node_modules/node-forge/js/x509.js:716:14)
    at Object.obj.GetMeshServerCertificate (/meshcentral/node_modules/meshcentral/certoperations.js:230:42)
    at CreateMeshCentralServer.obj.StartEx2 (/meshcentral/node_modules/meshcentral/meshcentral.js:385:35)
    at Server.<anonymous> (/meshcentral/node_modules/meshcentral/redirserver.js:108:13)
    at Object.onceWrapper (events.js:273:13)
    at Server.emit (events.js:182:13)
    at emitListeningNT (net.js:1320:10)
    at process._tickCallback (internal/process/next_tick.js:63:19)

Here is the public portion of an ECDSA certificate that you can use for testing purposes:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

@ghost

ghost commented Oct 26, 2018

I think I've discovered the cause of this issue. MeshCentral is using the node version of forge for its native TLS implementation in Javascript. According to this, this and this issue on their GitHub project page, forge doesn't support ECDSA certificates yet. Unless there is a viable alternative to forge, there's probably nothing @Ylianst can do to solve this issue other than to wait for them to implement support for it.

Edit: I think crypto-browserify might be a suitable alternative to forge that supports ECDSA.

@Ylianst
Owner

Ylianst commented Oct 27, 2018

I may still be able to fix this because I don't need to do any certificate operations on this TLS cert, I just need to make sure the server and agents both see the same cert by having the same hash. So, if I work on this a bit I could hash the ECDSA cert on both sides correctly and not need ForgeJS at all.

Thanks for the ECDSA cert, I can give it a try.

@ghost

ghost commented Oct 27, 2018

@Ylianst Awesome, I'm glad to hear that. Good luck with implementing this feature!

@ghost

ghost commented Dec 1, 2018

@Ylianst I noticed that non-RSA cert hashes are being calculated after a recent commit, but it doesn't seem to be fully supported yet. The hashes that MeshCentral and MeshAgent calculate are different from each other. Is it supposed to be working right now?

@Ylianst
Owner

Ylianst commented Dec 2, 2018

I got the server ready, but the agent is not. So ECDSA will not work yet. Hope to start testing with an ECDSA cert this week.

@ghost

ghost commented Dec 2, 2018

@Ylianst You are on a roll lately. I love your passion for this project!

@Ylianst
Owner

Ylianst commented Dec 5, 2018

Just published MeshCentral v0.2.4-a with ECDSA support for certificates in the reverse-proxy. Only the MacOS agent does not support it in this version (next time MacOS is compiled on our side, the support for ECDSA will be there).

To be clear, MeshCentral will only generate and handle RSA certificates on its own; however, if a reverse-proxy like NGINX is in front of MeshCentral and it has an ECDSA certificate, MeshCentral and the MeshAgents will handle it correctly.

Testing and feedback appreciated.

@ghost

ghost commented Dec 5, 2018

@Ylianst I tested it and can confirm that MeshCentral works with ECDSA certificates now. I think you can close this issue.

@whlsxl

whlsxl commented May 29, 2023

I use lego to generate the TLS cert; the default --key-type is ec256. When I link the cert file to webserver-cert-private.key & webserver-cert-public.crt, forge does not support ECDSA.

But I think that's not a big deal, just in case someone has the same problem.

https://go-acme.github.io/lego/usage/cli/options/
digitalbazaar/forge#925
